Blog Post
What Keeps a CISO Up at Night? New Cybersecurity Regulations
September 13, 2022
As regulators usher in new rules and policies, chief information security officers (CISOs) face growing workloads. Not only do you have the often thankless job of blocking cyberthreats, but you also have to keep up with a growing list of regulations and standards. With this increased regulatory pressure also comes the growing threat of penalties for noncompliance or negligence.
Even if regulators aren’t the ones dishing out fines, a lack of compliance could lead to lost revenue, such as by damaging relationships with customers, suppliers and other stakeholders.
Plus, both mandatory rules and voluntary compliance standards can be critical to mitigating risk, meeting stakeholder expectations and showing you can manage cyber events of all types and sizes. Many times, cyber events could have been prevented if organizations identified existing gaps in their security programs and followed voluntary yet highly suggested standards.
So, CISOs and other IT leaders have good reason to focus on cybersecurity regulations and work with others within their organizations, such as compliance/legal teams and other executives, to comply.
Digital Operational Resilience Act (DORA)
A new EU regulation, the Digital Operational Resilience Act (DORA), is in the works, with implementation expected within the next couple years. DORA is aimed at reducing digital risk within the finance industry.
“DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. The proposed legislation will require firms to ensure that they can withstand all types of ICT [information and communications technology]-related disruptions and threats,” explains the Alternative Investment Management Association (AIMA).
But even if you’re not in finance and outside the EU, you may still want to look into DORA and see whether you need to comply or want to voluntarily follow its guidance.
Some service providers to the financial services industry, for example, will need to comply. And other regulations, like the General Data Protection Regulation (GDPR), exemplify how EU rules can extend outside of the region.
SEC and NY DFS proposed cyber regulations
The U.S. Securities and Exchange Commission (SEC) has also proposed new cyber requirements for publicly traded companies, looking at the business impact of cyber incidents.
In particular, the SEC proposes that these companies would face more stringent reporting requirements around cybersecurity incidents. They would also have to report on areas like cyber mitigation strategies and disclose the extent of board members’ cybersecurity expertise.
The New York Department of Financial Services (NY DFS) has also proposed stricter cybersecurity rules, such as around providing notice of ransomware attacks and increasing governance protocols. For example, CISOs would have to dive deeper in terms of reporting to boards.
“The Draft Amendments provide for additional annual reporting to the board on plans for remediating inadequacies, as well as timely reporting to the board on material cybersecurity issues or major cybersecurity events (which are not defined),” explains law firm Debevoise & Plimpton.
These rules have yet to take place, but CISOs may want to consider how they would comply now. Even if your company is not publicly traded, these types of requirements could be used by organizations to attract private investors, especially if you’re considering going public in the future.
NIST Cybersecurity Framework (CSF)
Another important compliance area is the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Other than being mandatory for U.S. federal government agencies, the CSF is voluntary.
Still, it offers a guide to assessing and managing your organization’s cybersecurity posture. So, CISOs may want to follow this framework to strengthen cybersecurity and be able to communicate about cyber practices with others outside the enterprise.
“In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders,” explains NIST.
The CSF has three main areas:
- Framework Core: The core includes a variety of cybersecurity objectives ranging from identifying risks all the way through recovering from attacks.
- Implementation Tiers: The next area, implementation tiers, enable organizations to map their cybersecurity practices from Tier 1 (partial) to Tier 4 (adaptive). As the NIST notes, however, tiers don’t always equate with maturity levels. Instead, organizations can select tiers that align with their goals and risk tolerance.
- Profiles: Lastly, profiles lay out where an organization is at in their cybersecurity journey and where they’d like to be. “Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile with a “Target” Profile,” explains the NIST.
Cybersecurity Capability Maturity Model (C2M2)
In addition to the NIST’s cybersecurity framework, organizations might also use the Cybersecurity Capability Maturity Model (C2M2) on their own.
C2M2 “is a free tool to help organizations evaluate their cybersecurity capabilities and optimize security investments. It uses a set of industry-vetted cybersecurity practices focused on both information technology (IT) and operations technology (OT) assets and environments,” explains the U.S. Department of Energy.
C2M2 started within the energy industry, but any organization can use it. The self-evaluation model allows organizations to input information about their cybersecurity practices. They can then analyze the results to find gaps in their cybersecurity posture, and then develop and implement plans to reduce cyber risk.
CIS Critical Security Controls (CIS Controls)
CISOs may also want to follow the Center for Internet Security (CIS) Critical Security Controls (CIS Controls).
These “are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks,” explains SANS Institute, which provides training, research and certification for CIS Controls.
Some examples of the controls include having an inventory of enterprise and software assets. Others include having malware defenses and data recovery practices in place.
Cybersecurity Maturity Model Certification (CMMC)
Another way CISOs can demonstrate their organization’s strong cybersecurity posture is by following the U.S. Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC).
While the certification is particularly relevant for those that contract or subcontract with the DoD, others may also want to comply to showcase how your organization can handle sensitive data.
Obtaining a CMCC involves taking assessments that show you’ve implemented cybersecurity standards, which follow NIST requirements.
The CMCC is in the midst of changing from version 1.0 to 2.0, but meanwhile, CISOs can still look at what these standards are and get a sense of where they align with an organization’s current cybersecurity practices.
Quantify Cyber Risk to Aid Compliance
Financially quantifying cyber risk can help with compliance. Many of these regulations and standards are designed to get organizations to demonstrate they understand cyber exposure, so cyber risk quantification can help you specify the impact of your top threats.
Plus, as CISOs follow these guidelines, they may identify cybersecurity weaknesses. But it’s not always possible to fix everything at once. You may need to prioritize certain cyber initiatives over another.
A cyber risk quantification platform like Kovrr can help you determine what the ROI of various cyber investments would be. That way, you can more clearly see the impact of — and thereby prioritize — different ways to mitigate cyber risk.
Want to get a sense of where you stand now? Get started by financially quantifying your cyber risk exposure to ransomware for FREE.